Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presentation 2016

Protecting vital data with
NIST Framework

Tweet along: #Sec360
@pjktech @cohesivenet
About me
Patrick Kerpan
CEO at Cohesive Networks
@pjktech
BANKS

About Cohesive Networks
2,000+ customers
protect cloud-
based applications
User-controlled
security &
connectivity at the
top of the cloud
Cloud is creating
demand for more
connectivity and
security
honest approach to cloud security

Agenda
• standards, teaching, testing and certifying
• sustained cyber sieges
• priority shifts toward risk-based models
• NIST Cybersecurity Framework overview
• applying risk based cybersecurity
• NIST Cybersecurity Framework for all

standards, teaching, testing and certifying

Pre-NIST Cybersecurity Framework
• International Organization for Standardization ISO/
IEC 27005:2011
• Electricity Sub-Sector Cybersecurity Risk
Management Process (RMP) guideline
• Committee of Sponsoring Organizations
(Accounting Orgs) (COSO)
• American Institute of CPA's (AICPA) SOC 2 & SAS70
• American Institute of CPA's (AICPA) - Generally
Accepted Privacy PrinciplesGAPP (August 2009)
• Shared Assessments ORG Vendor Assessments
(AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule
(COPPA)
• European Union Agency for Network and
Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/
EC
• GSA's Federal Risk and Authorization Management
Program (FedRAMP) Cloud Security Controls
• Family Educational and Privacy Rights Act (FERPA)
• Health Insurance Portability and Accountability Act
(HIPAA)
• Health Information Technology for Economic and
Clinical Health (HITECH) Act
• Dept. of State International Traﬃc in Arms
Regulations ITAR
• UK Royal Mail - Jericho Forum on De-
Perimeterisation
• and on and on…

The Big 10
International Organization for Standardization ISO 31000:2009
International Organization for Standardization ISO/IEC 27001 2013
NIST Special Publication NIST 800-53r3 & r4
Payment Card Industry Security Standards Council Data Data Security Standard PCI DSS v3.0
International Society of Automation Industrial Automation And Controls ISA-IAC 62443-2-1:2009
Information Systems Audit and Control Association (ISACA) COBIT 5
Cloud Security Alliance - Enterprise Architecture & Guidance CSA EAG v3.0
SANS Institute Council on Cybersecurity's Critical Security Controls for Eﬀective Cyber Defense v5
DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Cybersecurity Evaluation Tool (CSET®)
Department of Energy (DOE) Cybersecurity Capability Maturity Model C2M2

Certification is expensive
Class Test

the fog of more
Software Tools
Standards
Training Classes
Certiﬁcation Badges
Certiﬁcation, PenTest, & Audit Services
Vulnerability Databases
Guidance & Best Practices
Catalogs of Controls
Checklists
Vendor Benchmarks
Recommendations, Regulations &
Requirements
Threat Information Feeds
Risk Management Frameworks
Competing Options, Priorities, Opinions, and Claims

sustained cyber siege

new cyber realities
Attacks have become
professional: hackers,
criminals or foreign
governments.
In the post-Sony era,
all servers “on a wire”
are compromised or
targets.
Regulatory
implementation and
reporting demands
are increasing.

target: governments

target: healthcare

target: retail

target: you

shifting priorities

DHS mandate: organize & coordinate
Image credit: Beldin
Executive Order 13636:  
Improving Critical Infrastructure
Cybersecurity
• Increase Information Sharing
• Protect Privacy & Civil Liberties
• Consult with Everyone
• Have Commerce / NIST Create Cybersecurity Framework
• Voluntary Adoption Program w/ Incentives
• Identify Greatest Risks
• Determine Need for More Regulation

Why:
NIST Cybersecurity Framework
Pros
•Organized
•One standard format
•Common language
•Unifying process
•Defense in breadth & depth
•Incentives
•Risk management focused
•Free
Cons
•Redundant
•Yet another framework
•Enforcement & penalties
•Sustained cyber-siege
•Not technical
•Not designed for small firms
•Technology debt?

Who:
16 critical infrastructure sectors
Nuclear Chemical Facilities CommsManufacturing EmergencyDamsDefense
Financial Energy Agriculture HealthWater IT
Gov
Facilities
Transportation
Image credit: dhs.gov

NIST Framework core

just one subcategory:

NIST Framework tiers of maturity
source: PwC Why you should adopt the NIST Cybersecurity Framework

NIST Cybersecurity Framework is *voluntary*
82% of US federal agencies fully or partially adopting it
53% of organizations outside the federal government adopted it
2016 PwC State of Information Security:
the 2 most frequently implemented risk-based guidelines are ISO
27001 and NIST Cybersecurity Framework

applying risk based cybersecurity

traditional vs. risk-based security
Traditional Risk-Based
Audit focus Business focus
Transation-based Process-based
Compliance objective Customer focus
Policies & procedures focus Risk management focus
Multi-year audit coverage Continual risk-reassessment coverage
Policy adherence Change facilitator
Budgeted cost center Accountability for performance improvement
resultsCareer auditors Diversiﬁed knowledge and experience
Methodology: Focus on policies,
transactions, and compliance
Methodology: Focus on goals, strategies, and risk
management processes

risk-based security frameworks
2016 PwC State of Information Security:
91% of companies have already adopted a risk-based cybersecurity
framework
Risk-based security can help:
• identify and prioritize risks
• gauge the maturity of cybersecurity practices
• better communicate internally and externally
• design, measure and monitor goals
• build program that centers around safety and security of data

NIST Cybersecurity Framework for all

how: NIST Cybersecurity for all
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Proﬁle
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Proﬁle
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Repeat The Steps As Needed (Rinse and Repeat)

Chicago style cybersecurity
Innovative
blend proven style with new technologies
Pragmatic
work within constraints - shifting sand (literally!)
Transparent
more opportunities to allow more light internally
Tenacious
driven by the Mid-Western work ethic
Creative
willingness to build solutions rather than empires The Marquette Building
Image via the MacArthur Foundation

roll your own NIST Manual
INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
Risk Management Process
Integrated Risk Management Program
External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
Asset, Change, and Configuration Management
Cybersecurity Program Management
Supply Chain and External Dependencies
Management
Identity and Access Management
Event and Incident Response, Continuity of
Operations
Information Sharing and Communications
Risk Management
Situational Awareness
Threat and Vulnerability Management
Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
Current CyberSecurity Profile
Target Profile
Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1:
REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2:
REGISTRY OF STAKEHOLDERS AND USERS
Etc.
Cybersecurity Risk Management & Network Operations Center Manual

conduct app-specific self-evaluations
Self evaluations available -
Just go download a template!

case study: LocusView
Natural gas SaaS provider streamlines audit processes
customer network
Public Cloud
Overlay Network
IPsec Tunnel
Firewall / IPsec
Cloud Server
AWS ELB
VNS3 Controller
public internet
user traﬃc
“We wanted to look at a bigger picture than just natural gas and
current regulations.”
Tim Hopper - GIS Professional LocusView
Challenge
An increasing stream of requests for documentation,
certifications, and penetration test results
Solution
Used NIST Framework to map the compliance areas that
matter most to their organization, clients
Outcome
LocusView has passed initial audits and the first of several
penetration tests

conclusions
• Standards are still relevant — Map from standards, not to
• Shift from audit-heavy compliance to risk-based prevention
• Prioritize current compliance over post-mortem disaster
recovery
• Holistic security for each business unit
• NIST Framework can make everyone’s jobs less complicated

Q&A
Stay in touch:
@pjktech
@cohesivenet
contactme@cohesive.net

Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presentation 2016

More Related Content

What's hot

Similar to Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presentation 2016

More from Cohesive Networks

Recently uploaded

Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presentation 2016